Dendritic cell algorithm module with inflammatory inter-node signaling

ABSTRACT

Artificial Immune Systems (AIS) including the Dendritic Cell Algorithm (DCA) are an emerging method to detect malware in computer systems. An implementation of the DCA may detect anomalous behavior in various embedded network systems. Unlike previous approaches, the DCA implementation may use an inflammation signal to communicate information among the nodes of a distributed or centralized network, where the inflammatory signal indicates a likelihood to the connected nodes that a local node has been attacked by malicious software.

FIELD OF THE DISCLOSURE

The present application relates generally to computing security, andmore particularly to malware detection systems and methods based on theDendritic Cell Algorithm (DCA).

BACKGROUND

Malware (viruses, trojans, “advanced persistent threats,” etc.)represents a significant potential risk in embedded network systems,such as, for example, computer networks in factory control systems.Safeguarding the integrity of a given network is often an important taskfor ensuring the overall safety of critical systems. As a result,detection of viruses and malware is an increasingly critical task inembedded systems.

Unfortunately, recent trends demonstrate that malware creators arewilling to dedicate significant time and resources to the disseminationof malware, and the malware can often be cloaked and hidden insophisticated ways. Usefully, viruses and hosts have been waging anon-going war in the biological domain for many centuries. The outcome ofthe biological war has been a remarkably sophisticated and subtle systemthat can quickly detect, attack, and kill harmful invaders, whilemanaging to avoid not only damage to the self, but also killing othersymbiotic organisms in the body.

Artificial immune systems (AIS) are a collection of algorithms developedfrom models or abstractions of the function of the cells of the humanimmune ne system. One category of AIS is based on the Danger Theory; andincludes the Dendritic Cell Algorithm (DCA), which is based on thebehavior of Dendritic Cells (DCs) within the human immune system. DCshave the power to suppress or activate the immune system through thecorrelation of signals from an environment, combined with locationmarkers in the form of antigen. The function of a DC is to instruct theimmune system to act when the body is under attack, policing the tissuefor potential sources of damage. DCs are natural anomaly detectors, thesentinel cells of the immune system. The DCA has demonstrated potentialas a static classifier for a machine learning data set and anomalydetector for real-time port scan detection.

The DCA has been described in a number of references, includingGreensmith, Aickelin and Twycross, Articulation and Clarification of theDendritic Cell Algorithm. In Proc. of the 5th International Conferenceon Artificial Immune Systems, LNCS 4163, 2006, pp. 404-417. Thefollowing features of the DCA differentiate the algorithm from other MSalgorithms: (1) multiple signals are combined and are a representationof environment or context information; (2) signals are combined withantigen in a temporal and distributed manner; (3) pattern matching isnot used to perform detection, unlike negative selection; and (4) cellsof the innate immune system are used as inspiration, not the adaptiveimmune cells, and unlike clonal selection, no dynamic learning isattempted.

As described in the DCA literature, DCs can perform various functions,depending on their state of maturation. Modulation between thesematuration states is facilitated by the detection of signals within thetissue, namely: (1) danger signals, (2) pathogenic associated molecularpatterns (PAMPs), (3) apoptotic signals (safe signals), and (4)inflammatory cytokines. The DCA has been implemented successfully invarious localized applications, which have made use of danger signals,PAMPs, and safe signals. However, existing DCA implementations have notmade use of signals analogous to the inflammatory cytokines of DCs inthe biological domain.

SUMMARY

The present application discloses an implementation of the DCA thatdetects anomalous behavior in various embedded network systems, rangingfrom embedded factory control systems to general computer networks.Unlike previous approaches, the DCA implementation described hereinmakes use of an inflammation signal to communicate information among thenodes of a distributed or centralized network.

In one example, a system comprises a local node, one or more connectednodes linked to the local node, and a Dendritic Cell Algorithm (DCA)module in the local lode. The DCA module comprises an inflammatorysignal indicating a likelihood to the connected nodes that the localnode has been attacked by malicious software.

The local node and connected node(s) may comprise: (a) a collection ofdiscrete computing devices, (b) a collection of logical nodes within asingle computing device, or (c) a combination of discrete computingdevices and logical nodes. The system may comprise a distributednetwork. The system may comprise a centralized network having a centralserver and a plurality of client nodes. The local node may comprise aplurality of processes operating in parallel with the DCA module. Theinflammatory signal may comprise a continuous variable having a valuewithin the range of −1 to 1. The inflammatory signal may have a strengthproportional to a degree of certainty that the local node has beenattacked by malicious software. The DCA module may comprise: a pluralityof sensors configured to measure raw sensor data; a plurality ofindicators created based on raw sensor data measured by the sensors; asignal combiner; a tissue module; and a plurality of individualdendritic cell (DC) instances. The raw sensor data may comprise computernetwork information or individual processor information. The indicatorsmay comprise one or more signals representative of a heartbeat, packetsize, network address, bandwidth, or processor load. The signal combinermay sum the indicators. The signal combiner may average the indicators.The signal combiner may determine the median value of the indicators.The tissue module may manage a store of indicator signal and antigensignal, and provides data to the plurality of DC instances.

In another example, a method is disclosed for operating a computernetwork comprising a plurality of computing nodes. The method comprisesrunning a Dendritic Cell Algorithm (DCA) module on each of the computingnodes and identifying a harmful antigen at a first computing node byobserving abnormal activity based on predetermined criteria establishedby the DCA module running on the first computing node. The methodfurther comprises transmitting an inflammatory signal from the DCAmodule of the first computing node to one or more additional computingnodes on the computer network.

The computer network may comprise a distributed network. The computernetwork may comprise a centralized network. The method may furthercomprise modulating the response to local signal changes at the one ormore additional computing nodes. Running the DCA module on eachcomputing node may comprise: initializing an individual Dendritic Cell(DC) instance within the DCA module; receiving raw sensor data fromsensors of the DCA module; creating an antigen signal in a dataprocessing event; processing the raw sensor data to create an indicatorsignal comprising a vector of the following signals: (a) PAMP, (b)Danger, (c) Safe, and (d) Inflammation signal; passing the indicatorsignal to a signal transformation event; passing the antigen signal toan antigen sampling event; correlating the indicator signal and sampledantigen signals based on their time stamps; and determining whether amaturation threshold has been reached and, if so, changing the DCinstance from a correlating state to an information presenting state.The antigen signal may represent a program name, a file name, or anetwork address of a node.

In another example, a method is disclosed for operating a Dendritic CellAlgorithm (DCA) module on a first computing node linked to a computernetwork. The method comprises: monitoring an indicator signal comprisinga vector of PAMP, Danger, and Safe signals, collected locally at thefirst computing node; receiving an inflammation signal from a secondcomputing node linked to the computer network; and creating and agingout a plurality of individual Dendritic Cell (DC) instances. The methodfurther comprises: calculating an overall mature context antigen value(MCAV) of the first computing node as individual DC instances age out;and transmitting a current node status signal to one or more additionalnodes linked to the computer network.

The method may further comprise determining whether the MCAV of thefirst computing node is above a selected threshold before transmittingthe current node status signal to one or more additional nodes linked tothe computer network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating one example of a computing nodecomprising a Dendritic Cell Algorithm (DCA) module.

FIG. 2 is a block diagram illustrating one example of a DCA module.

FIG. 3 is a flow chart illustrating a method of operating of anindividual DC within a DCA module.

FIG. 4 is a timing diagram illustrating the operation of a plurality ofdendritic cell instances operating in parallel.

FIGS. 5A and 5B are block diagrams illustrating examples of networkswith a plurality of computing nodes including DCA modules.

FIG. 6 is a flow chart illustrating the operation of a plurality ofnodes in a network communicating signals generated by one or more DCAmodules.

FIG. 7 is a flow chart illustrating the operation of a central server ina network having one or more nodes with a DCA module.

While the disclosure is susceptible to various modifications andalternative forms, specific embodiments have been shown by way ofexample in the drawings and will be described in detail herein. However,it should be understood that the disclosure is not intended to belimited to the particular forms disclosed. Rather, the intention is tocover all modifications, equivalents and alternatives falling within thespirit and scope of the invention as defined by the appended claims.

DETAILED DESCRIPTION

The present application discloses an implementation of the DCA thatmakes use of a known, but previously unused, feature of the DCA:inflammation, to signal of a possible attack among nodes of adistributed or a centralized network. As used herein, the term “network”may refer to a system with a plurality of discrete computing devices, aplurality of logical nodes within a single computing device (e.g., aplurality of virtual machines, individual computing processes, etc.),and/or a combination of discrete computing devices and logical nodes.

In some cases, as described below, each individual node within a networkruns an instantiation of the DCA, which gathers “signals” from the localnode, and regularly determines the potential for a particular “antigen”to be harmful, based on pre-determined criteria. The nodes are linkedtogether through a network or other channels of communication. When ananomaly is detected by one node, it propagates an inflammation signal toother nodes on the network. This inflammation signal merely posits thatan attack has been detected, but does not carry any details of thenature or mode of the attack. This approach helps to put other nodes onalert to be more sensitive to anomalous behavior, while minimizing therisk of confirmation bias.

FIG. 1 is a block diagram illustrating one example of a computing node100 comprising a Dendritic Cell Algorithm (DCA) module 105. In somecases, the computing node 100 may comprise a discrete computing device(e.g., desktop computer, notebook computer, etc.), which may communicatewith similar computing devices in a network. In other cases, thecomputing node 100 may comprise a logical “node” (e.g., virtual machine,computing process, etc.), which may operate in parallel with similarlogical nodes within a single computing device. Therefore, as describedabove, a network of computing nodes may comprise a collection ofdiscrete computing devices, a collection of logical nodes within asingle computing device, and/or a combination of the two.

In the illustrated example, the computing node 100 comprises a pluralityof processes 155 (labeled Process 1 through Process N FIG. 1) operatingin parallel with the DCA module 105 within the computing node 100. Inaddition, the DCA module 105 comprises a plurality of sensors 110,indicators 115, a tissue module 120, and a plurality of individualdendritic cell (DC) instances 125. The operation and interaction of thecomponents of the DCA module 105 are described below.

FIG. 2 is a block diagram illustrating one example of a DCA module 105.In the example illustrated in FIG. 2, the DCA module 105 comprises aplurality of sensors 110, which measure raw sensor data, such as, forexample, computer network information (e.g., packet data, etc.) and/orindividual processor information. As shown in FIG. 2, the raw sensordata can be used to create a selected number of DCA indicators 115(labeled Indicator 1 through Indicator N in FIG. 2), which may representa wide variety of parameters. For example, in some cases, Indicator 1may comprise a heartbeat or “keep alive” signal, Indicator 2 maycomprise a packet size signal, and Indicator N may comprise a signalrepresenting a sender's network address. Other examples of suitableindicators 115 may include signals indicative of parameters such asbandwidth, processor load, etc.

As shown in FIG. 2, the indicators 115 are combined by a signal combiner130, which may perform a variety of suitable combination functions. Forexample, in some cases, the signal combiner 130 may sum the indicators115, whereas in other cases, the signal combiner 130 may average theindicators 115. As yet another example, the signal combiner 130 maydetermine the median value of the indicators 115. Using a suitablecombination function, the signal combiner 130 creates an aggregatedindicator signal 135, which is provided as an input to the tissue module120. In addition, the raw sensor data is used by an antigen generator140 to create an antigen signal 145, which is also provided as an inputto the tissue module 120.

An aggregated signal 135 and antigen 145 are created for each individualraw sensor “event.” For example, in the case of network traffic, a rawsensor event r may comprise a packet, whereas in the case of processorload, a raw sensor event may comprise a selected time period (e.g., 0.1seconds, etc.). The tissue module 120, in turn, includes a temporalcombiner 160, which combines an array of one or more aggregatedindicator signals 135 received over time, to generate a “DC-Seen” signal165. In some cases, the temporal combiner 160 may average the aggregatedindicator signals 135, whereas in other cases, the temporal combiner 160may determine the maximum or median of the aggregated indicator signals135. The temporal combiner 160 includes a “look back” period, which maycorrespond to selected time period or number of events.

In operation, the tissue module 120 manages the indicator signal 135 andthe antigen signal 145, and provides the DC-Seen signal 165 to aplurality of individual DC instances 125 located in a plurality of DCslots 150 (labeled DC Slot 1 through DC Slot N in FIG. 2). As theindividual DC instances 125 age out, they present the resulting databack to the tissue module 120, which aggregates the data across theplurality of individual DC instances 125.

FIG. 3 is a flow chart illustrating an example of a process 300 foroperating an individual DC instance 125 within a DCA module 105. In afirst step 305, the DC instance 125 is created and initialized. Duringoperation of the DC instance 125, as indicated at block 310, raw sensordata is provided by the sensors 110 of the DCA module 105. In a dataprocessing event 315, an antigen signal 145 is created by the antigengenerator 140, and the raw sensor data is processed to create anindicator signal 135. The antigen signal 145 typically represents anexisting attribute of the system on which the DC instance 125 operates,such as, for example, the name of a program installed on the computingnode 100, a file name, an address of another node 100 on the samenetwork, etc. In addition, as known in the DCA art, the indicator signal135 may comprise a vector of the following signals: (a) PAMP, (b)Danger, (c) Safe, and (d) Inflammation signal.

The indicator signal 135 is passed to a signal transformation event 320.The antigen signal 145 is passed to an antigen sampling event 325. Ineach DC instance 125, a sing e indicator signal 135 and zero, one ormore antigen signals 145 can be fed to the DC instance 125. Theprocessed indicator signals 135 and sampled antigen signals 145 arecorrelated by a temporal correlation event 330 based on their timestamps. In a decision block 335, the process 300 determines whether amaturation threshold has been reached. If not, the process 300 returnsto the data processing event 315. The DC instance 125 repeats the eventsdescribed above cyclically, until the maturation threshold is reached,which indicates that the DC instance 125 has acquired sufficientinformation for decision making.

Once the DC instance 125 reaches its maturation threshold, the DCinstance 125 changes from a correlating state to an informationpresenting state. Based on the indicator signals 135 and the antigensignals 145 correlated by the temporal correlation event 330, the DCinstance 125 determines whether any potential anomalies appeared withinthe input data. The results of this decision are presented by aninformation presenting event 340 as the output of the DC instance 125,as indicated at block 345. In a final step 350, the DC instance 125 isterminated, marking the end of the lifespan of the DC instance 1125. Inmany cases, the process 300 then returns to step 305, in which anotherDC instance 125 is created and initialized, and the process 300 isrepeated.

FIG. 4 is a timing diagram illustrating the operation of a plurality ofDC instances 125 (labeled DC_(1A) through DC_(NF) in FIG. 4), operatingin parallel. In the illustrated example, the timing diagram includes atime axis beginning at time t₀ and divided into 10 substantially equalunits. Each unit on the time axis may represent an interval such as 0.5seconds, 1 second, 5 seconds, 10 seconds, or any other suitable timeinterval.

As described above, the DCA module 105 comprises a plurality of DC slots150, in which the individual DC instances 125 operate. Each individualDC instance 125 has a randomly selected threshold (typically within apredetermined range) to “age out,” or transition from the correlatingstate to the information presenting state (as determined in decisionblock 335 of FIG. 3). For instance, DC instance DC_(1A) may have athreshold of about 4 units, DC instance DC_(1B) may have a threshold ofabout 9 units, DC instance DC_(1C) may have a threshold of about 6units, and so on. As shown in FIG. 4, all of the DC instances 125 startat the same time, t₀, but they age out at different times, as determinedby their respective maturation thresholds. For example, DC instanceDC_(NA) ages out at time t₂, DC instance DC_(1A) ages out at time t₃, DCinstance DC_(3A) ages out at time t₅, DC instance DC_(2A) ages out attime t₆, and so on.

FIG. 5A is a block diagram illustrating one example of a distributedcomputer network 505A (e.g., peer-to-peer network, ad hoc wirelessnetwork, etc.), having a plurality of nodes 100, each including nDendritic Cell Algorithm (DCA) module 105. In the particular exampleillustrated in FIG. 5A, the distributed network 505A comprises six nodes100A-100F that are interconnected as shown. Any individual node 100 maybe in communication with any other node 100 (or multiple other nodes100) in the distributed network 505A. For example, node 100B is incommunication with four other nodes 100 (i.e., nodes 100A, 100C, 100E,100F), whereas node 100D is in communication with only one other node100 (i.e., node 100C). Those of ordinary skill in the art willunderstand that the distributed network 505A may include a greater orfewer number of nodes 100, and that the interconnections betweenindividual nodes 100 may vary widely from the example shown in FIG. 5A.

FIG. 5B is a block diagram illustrating one example of a centralizedcomputer network 505B (e.g., client-server network, etc.), having acentral server 510 in communication with a plurality of clients or nodes100, each including a DCA module 105. In the particular exampleillustrated in FIG. 5B, the centralized network 505B comprises six nodes100G-100L in communication with the central server 510 in a star networktopology. Those of ordinary skill in the art will understand that thecentralized network 505B may include a greater or fewer number of nodes100, and that a variety of other suitable network topologies (e.g., busnetwork, ring network, etc.) may be employed.

In operation, the DCA modules 105 of the individual nodes 100 of eitherthe distributed network 505A or the centralized network 505B constantlymonitor for abnormal activity, which may be identified as a harmfulantigen based on selected criteria, as described above in connectionwith FIG. 3. When such a harmful antigen is identified at a particularnode 100, the corresponding DCA module 105 may transmit an inflammatorysignal to the remaining nodes 100 on the network 505.

This inflammatory signal is analogous to the human immune system'sinflammatory cytokines (e.g., interferon, tumor necrosis factor, etc.).The inflammatory signal is used to indicate to other nodes 100 that apossible attack is underway, and for the other nodes 100 to modulatetheir response to local signal changes. The inflammatory signal ispreferably a continuous variable, which may range from −1 to 1 in somecases. Negative values can be used to indicate that an event shouldreduce the response to a given stimulus. For example, installing orupgrading a piece of software may often appear to be a malware attack,so a negative inflammatory signal value may be used to reduce theresponse for this particular event. The inflammatory signal is raisedwhen one or more antigens have been detected as a possible invader, or aknown event has occurred. The strength of the inflammatory signal may beproportional to the degree of certainty of the attack or the degree ofseverity of the attack.

In some cases, when the DCA module 105 of a node 100 of the centralizednetwork 505B generates an inflammatory signal, the affected node 100 maytransmit the inflammatory signal to the central server 510, which may,in turn, “broadcast” the inflammatory signal to all the other nodes 100of the centralized network 505B. In other cases, when the DCA module 105of a node 100 of the distributed network 505A generates an inflammatorysignal, the affected node 100 may transmit the inflammatory only to thedirectly connected nodes 100 of the distributed network 505A.

For example, if the DCA module 105E of the node 100E generated aninflammatory signal, the node 100E may transmit the inflammatory signalto only the three directly connected nodes 100 (i.e., nodes 100B, 100C,100F). In some cases, the receiving nodes 100 (i.e., nodes 100B, 100C,100F, in this particular example) may further broadcast the inflammatorysignal to other nodes 100, possibly with a decay factor to ensureagainst a feedback loop. The receiving nodes 100 may use theinflammatory signal to modulate the other indicator signals 135collected for their respective DCA modules 105.

Like the human immune system, the inflammatory signal does not containdetails about the specifics of the possible attack. Rather, theinflammatory signal merely indicates that a given node 100 may beexperiencing something unexpected or problematic. Such an indicationadvantageously reduces the likelihood of so-called confirmation bias,i.e., a situation in which a node 100 is more likely to find aparticular pattern increasing the sensitivity of the particular patternsearch. In addition, if an attack is localized to a particular node 100,other nodes 100 that are unaffected will not be unfairly penalized.

FIG. 6 is a flow chart illustrating the operation of a plurality ofnodes 100 in a computer network 505 communicating signals generated byone or more DCA modules 105. In the illustrated example, the process 600begins with a first step 605, in which the DCA module 105 of a givennode 100 is initialized. In a next step 610, the DCA module 105 monitorsthe local indicator signals 135 (e.g., PAMP, Danger, and Safe) collectedlocally at the node 100. In a next step 615, the DCA module 105 receivesan inflammation signal, which may be sent from another node 100 of adistributed network 505A or from the central server 510 of a centralizednetwork 505B, as described above. In a next step 620, the DCA module 105runs according to its respective schedule, with individual DC instances125 in corresponding DC slots 150 being created and aging out atdifferent intervals, as shown in FIG. 4. In a next step 625, asindividual DC instances 125 age out, the DCA module 105 calculates anoverall mature context antigen value (MCAV) of the computing node 100.

In some cases, the process includes an optional step 630, in which adetermination is made as to whether the MCAV is above a selectedthreshold, T_(MCAV). If not, the process returns to step 610 and repeatsuntil the MCAV exceeds the selected threshold before proceeding to step635. In other cases, the process proceeds directly to step 635, in whichthe DCA module 105 transmits the current node status signal to othernodes 100, regardless of whether the overall MCAV exceeds a threshold.In such cases, the current node status signal may indicate danger ordistress at the transmitting node 100, or it may indicate simply thatthe transmitting node 100 is functioning normally. Accordingly, the DCAmodule 105 of a given node 100 can provide virtually continuous statusupdates to other nodes 100 of the network 505. In the case of adistributed network 505A, the DCA module 105 transmits the current nodestatus signal to other connected nodes 100, whereas in the case of acentralized network 505B, the DCA module 105 transmits the current nodestatus signal to a central server 510.

FIG. 7 is a flow chart illustrating the operation of a central server510 in a centralized computer network 505B having one or more nodes 100with a DCA module 105. In a first step 705 of the process 700, thecentral server 510 monitors for status signals from one or more nodes100. As described above in connection with FIG. 6, such status signalsmay be generated and transmitted by the DCA module 105 of a node 100following the calculation of t MCAV (e.g., at step 635 or 640 of FIG.6). In a next step 710, a determination is made as to whether any newstatus signals have been received. If not, the process returns to thelistening step 705 and repeats until anew status signal is received.Once that occurs, as shown at step 715, a new global inflammation signalis calculated for the centralized network 505B.

In some cases, the process includes an optional step 720, in which adetermination is made as to whether the magnitude of the globalinflammation signal is above a selected threshold, T_(GLOBAL). If not,the process returns to the listening step 705 and repeats until themagnitude of the inflammation signal exceeds the selected threshold,T_(GLOBAL). In other cases, the process proceeds directly to step 725,in which the central server 510 transmits the inflammation signal to thenodes 100 of the network 505B, regardless of whether the magnitude ofthe inflammation signal exceeds a threshold. Accordingly, the centralserver 510 can provide virtually continuous updates to the nodes 100 ofthe network 505B regarding the inflammation signal.

The systems and methods described above demonstrate a number of distinctadvantages over previous approaches. For example, the DCA module 105 ofthe present application demonstrates consistently positive results,i.e., higher rates of detection, with lower rates of false positives,when compared with previous DCA implementations. In addition, the DCAmodule 105 exhibits a higher speed of detection that previous DCAimplementations, especially in embedded network systems. Furthermore,the DCA module 105 can be run with minimal processor and memoryrequirements.

Although various embodiments have been shown and described, the presentdisclosure is not so limited and will be understood to include all suchmodifications and variations are would be apparent to one skilled in theart.

What is claimed is:
 1. A system comprising: a local node; one or moreconnected nodes linked to the local node; and a Dendritic Cell Algorithm(DCA) module in the local node, the DCA module comprising aninflammatory signal indicating a likelihood to the connected nodes thatthe local node has been attacked by malicious software.
 2. The system ofclaim 1, wherein the local node and connected node(s) comprise: (a) acollection of discrete computing devices, (b) a collection of logicalnodes within a single computing device, or (c) a combination of discretecomputing devices and logical nodes.
 3. The system of claim 1, whereinthe system comprises a distributed network.
 4. The system of claim 1,wherein the system comprises a centralized network having a centralserver and a plurality of client nodes.
 5. The system of claim 1,wherein the local node comprises a plurality of processes operating inparallel with the DCA module.
 6. The system of claim 1, wherein theinflammatory signal comprises a continuous variable having a valuewithin a range of −1 to
 1. 7. The system of claim 1, wherein theinflammatory signal has a strength proportional to a degree of certaintythat the local node has been attacked by malicious software.
 8. Thesystem of claim 1, wherein the DCA module comprises: a plurality ofsensors configured to measure raw sensor data; a plurality of indicatorscreated based on raw sensor data measured by the sensors; a signalcombiner; a tissue module; and a plurality of individual dendritic cell(DC) instances.
 9. The system of claim 8, wherein the raw sensor datacomprises computer network information or individual processorinformation.
 10. The system of claim 8, wherein the indicators compriseone or more signals representative of a heartbeat, packet size, networkaddress, bandwidth, or processor load.
 11. The system of claim 8,wherein the signal combiner sums the indicators.
 12. The system of claim8, wherein the signal combiner averages the indicators.
 13. The systemof claim 8, wherein the signal combiner determines the median value ofthe indicators.
 14. The system of claim 8, wherein the tissue modulemanages a store of indicator signal and antigen signal, and providesdata to the plurality of DC instances.
 15. A method of operating acomputer network comprising a plurality of computing nodes, the methodcomprising: running a Dendritic Cell Algorithm (DCA) module on each ofthe computing nodes; identifying a harmful antigen at a first computingnode by observing abnormal activity based on predetermined criteriaestablished by the DCA module running on the first computing node; andtransmitting an inflammatory signal from the DCA module of the firstcomputing node to one or more additional computing nodes on the computernetwork, wherein the inflammatory signal indicates a likelihood to theone or more additional computing nodes that the first computing node hasbeen attacked by malicious software.
 16. The method of claim 15, whereinthe computer network comprises a distributed network.
 17. The method ofclaim 15, wherein the computer network comprises a centralized network.18. The method of claim 15, further comprising modulating the responseto local signal changes at the one or more additional computing nodes.19. The method of claim 15, wherein running the DCA module on eachcomputing node comprises: initializing an individual Dendritic Cell (DC)instance within the DCA module; receiving raw sensor data from sensorsof the DCA module; creating an antigen signal in a data processingevent; processing the raw sensor data to create an indicator signalcomprising a vector of the following signals: (a) pathogenic associatedmolecular patterns (PAMP), (b) Danger, (c) Safe, and (d) Inflammationsignal; passing the indicator signal to a signal transformation event;passing the antigen signal to an antigen sampling event; correlating theindicator signal and sampled antigen signals based on their time stamps;and determining whether a maturation threshold has been reached and, ifso, changing the DC instance from a correlating state to an informationpresenting state.
 20. The method of claim 19, wherein the antigen signalrepresents a program name, a file name, or a network address of a node.21. A method of operating a Dendritic Cell Algorithm (DCA) module on afirst computing node linked to a computer network, the methodcomprising: monitoring an indicator signal comprising a vector of PAMP,Danger, and Safe signals, collected locally at the first computing node;receiving an inflammation signal from a second computing node linked tothe computer network, wherein the inflammation signal indicates alikelihood that the second computing node has been attacked by malicioussoftware; creating and aging out a plurality of individual DendriticCell (DC) instances; calculating an overall mature context antigen value(MCAV) of the first computing node as individual DC instances age out;and transmitting a current node status signal to one or more additionalnodes linked to the computer network.
 22. The method of claim 21,further comprising determining whether the MCAV of the first computingnode is above a selected threshold before transmitting the current nodestatus signal to one or more additional nodes linked to the computernetwork.